Snapchat and American Express users suffer from an open redirect flaw

Open redirect flaw exploited for phishing purposes

Snapchat and American ExpressEmail used to deliver malicious links exploiting domain flaw

Researchers have found that attackers are exploiting an open redirect flaw[1] to steal people's credentials and personally identifiable information[2] using American Express and Snapchat domains. Cybercriminals impersonated several well-known companies, including Microsoft, and FedEx.

An open redirect flaw allows threat actors to manipulate the URLs of legitimate domains to redirect users to malicious sites. The vulnerability is known as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’).[3] Researchers observed the malicious campaign for two months and detected in how many emails the vulnerability was used.

The snapchat[.]com open redirect flaw was found in 6,812 phishing emails[4] that were sent from various hijacked accounts. The americanexpress[.]com open redirect vulnerability was detected in 2,029 phishing emails that originated from newly created domains.

The development of the attack

At first, both campaigns started with the usual social engineering methods[5] where crooks would try to trick users into clicking on malicious links or opening infected attachments. They also used exploits in which attackers inserted personally identifiable information so the malicious landing pages would be customized for individual users.

Victims would think that they were being redirected to safe sites. However, they would end up on malicious pages that steal their credentials or infect them with malware. In the Snapchat phishing emails, crooks were impersonating DocuSign, FedEx, and Microsoft. All the emails included had Snapchat open redirects that led to Microsoft credential harvesting sites.

The Snapchat domain vulnerability was unpatched at the time of the campaign. The American Express open redirect flaw was also unpatched. However, soon after the malicious campaign began, American Express patched the vulnerability. If users click on the malicious links in the phishing emails now, they would be taken to the real American Express error page.

Users should be more aware of the malicious tactics

Domain vulnerabilities are rarely taken seriously by the website owners simply because they do not allow attackers to steal data from the site itself. The only thing they may do is harm the websites' reputations. A simple solution would be to implement a list of approved safe links to stop the open-redirect abuse.

The real victims of these attacks are regular users. Their personal data, login details, and even money may be stolen. That is why everyone should take steps to protect their own privacy and security. According to security experts, people should stay away from URLs that include:

  • url=
  • redirect=
  • external-link
  • proxy

These strings indicate that a trusted domain might redirect to another site. Those who receive emails with links should also check if they include “http” in the URL, which is another potential indication of a redirect. Additionally, links that start with “http” indicate that the website does not use end-to-end encryption. Meaning, that any information entered into such a page could be accessed by threat actors.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions